NSA ponies up to secure IPv6

Agency backs project to develop IP encryptors for classified networks

By Jason Miller

Mar 01, 2007

The National Security Agency, known to provide incentives for development or testing of security products, is spending upward of $30 million to ensure IP Version 6 is secure enough to be used on classified networks.

And that is only half the amount that will go into developing High-Assurance IP Encryptor Interoperability Specification (HAIPE IS) Version 3 software to, among other things, protect IPv6 traffic.

'Several Defense Department programs of record have requirements to protect classified IPv6 traffic,' said Ken White, an NSA spokesman.

HAIPE IS is part of a DOD initiative to implement secure, seamless communication over WANs and other private-sector networks.

One of the main reasons NSA took the initiative to award contracts in September'to General Dynamics C4 Systems of Scottsdale, Ariz., L3 Communications Corp. of New York and Viasat Communications Inc. of Carlsbad, Calif.'was the dearth of vendors developing IPv6 security products, especially for classified networks. The vendors must at least match NSA's funding for the encryptors.

The first of these HAIPE IS products should be available by early 2008. DOD and intelligence agencies plan to push IPv6 to their classified networks no later than 2010.

The National Institute of Standards and Technology, meanwhile, contributed the first of what will be many documents to help agencies meet the administration's mandate to move every agency's network backbone to IPv6 by June 2008 by releasing the draft version of the IPv6 profile.

It started reviewing comments early this month and will develop a testing support plan and a guidance on secure operational deployment, said Doug Montgomery, manager of NIST's Internet Working Technologies Group.

'The profile recommends IPv6 capabilities for common network devices, including hosts, routers, intrusion detection systems and firewalls, and includes a selection of IPv6 standards and specifications needed to meet the minimum operational requirements of most federal agencies,' the document said.

With the Office of Management and Budget's deadline approaching, the need for kindling for the fire was obvious, industry and federal experts said.

'Vendors know they need to go there, but it is a business case situation,' said Kris Strance, a senior analyst in the DOD CIO office. 'They need to know there is a demand for the products. We think we have an operational imperative ... but the demand in the commercial market is not there.'Security for nonclassified networks also has been slow to develop.

'Security has not received the same focus as, say, routers,' said John McManus, Commerce Department deputy CIO and co-chairman of the IPv6 working group. 'The Office of Management and Budget's memo said the security must be at least the same, if not higher. If you can't secure your network, you will not bring it online.'

McManus said the IPv6 Committee has added a security working group headed by Education Department deputy CIO Brian Burns. He also said that the CIO Council has defined what exactly is a core network to help agencies plan for the transition.

He said the core network is the upper hierarchy of the network, 'a set of network transport devices that provide the highest level of traffic aggregation.'

McManus added that agencies must at least be able to demonstrate that the core network can accept IPv6 traffic from a subnet or external network and transport it to another subnet or external network.

Strance said there has been a jump in vendor readiness with IPv6 capable firewalls and routers, but there still is a need to prove their worth.

'Network protection devices are a bit tricky to specify because there is a fair amount of variance in how these devices function,' said NIST's Montgomery. 'We had to find a way to specify that [they] provide the same level of capabilities agencies have come to know and expect with v4.'

From NSA's point of view, that expectation was not going to be met without some help.

NSA's White said that while HAIPE IS 3.0 will not be mandated to support all requirements of IPv6, it includes minimum features to support communications security capabilities.

Even without being told to use it, the military services impatiently are waiting for the encryptors, said Mike Guzelian, director of secure voice and data products for General Dynamics C4 Systems.

Guzelian said General Dynamics, which will not have the encryptors ready until early 2008, said it has orders for more than 5,000, mostly from the Navy.

'They are asking for betas,' he said. 'They want to replace older encryptors that cannot be upgraded.'

Guzelian added that the total installed base for government is about 80,000 IP encryptors that will run HAIPE IS.

Bob Nichols, L3's director of networking products, said that while vendors normally develop advanced products as technology changes, this is a significant step up in specifications and new requirements to be IPv6-capable.